Hacking Book | Free Online Hacking Learning


Application operations security issues: risks when going live

Posted by bassolino at 2020-03-15

One of the values of security is to protect the business.

Build a solid perimeter so that attackers cannot get in; build defense in depth so that even attackers who do get in cannot take anything away.

However, business continuity and availability are not threatened only by attacks; there are also security risks hidden in the process of bringing an application online.

There are many scenarios when an application is published online: the business applies for a domain name for the application, operations configures nginx to forward external traffic to it, the application is jointly debugged against an external partner's interface; these also involve the test environment versus the production environment, internal applications accessing external ones, and internal application interfaces being opened to external access... A small oversight in any of them can bring security risks that cannot be ignored:

1. Incorrect domain name and ICP filing configuration

1.1 Laws and regulations

Security and compliance inspections by the supervising authorities have been noticeably strengthened this year. Besides the routine network security protection inspections, they now also cover domain name filing information under the Administrative Measures for the Filing of Non-commercial Internet Information Services.

1.2 Security incidents

Recently one of the company's domain names was shut down because of a filing information problem. The sequence of events was roughly as follows:

A website's details change but its ICP filing is not updated in time, so the filing management system still holds the original filing information -> the relevant supervising department finds that the filing information is inconsistent -> the filing record is cleared from the ICP filing management system -> the supervising department issues an order to rectify or shut down by a certain date -> the carrier receives the order and either notifies the customer or shuts the site down directly.

In short: if the domain name's actual information does not match its filing information, or the domain name has no filing at all, the website risks being blocked. The impact is not limited to the site with the inconsistent record; it can interrupt a large number of other sites as well. According to one carrier's explanation, the shutdown can only be performed at the fibre level: when the instruction arrives, the fibre serving the non-compliant site is cut, and any other sites on the same fibre go down with it.

1.3 Prevention Guide

Whenever a new business goes online, the security team or the responsible staff should check that the system being released has correct filing information. Generally speaking, domain name filing refers to the primary domain, such as xxxy.com; when the business side applies to use a second-level or deeper subdomain, such as zzz.xxxy.com, the filing number of xxxy.com can be used directly without an additional filing.
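As an added example (not code from the original post), the filing check above written as a small pre-release script: each hostname about to go live is reduced to its primary domain, and that primary domain is looked up in the company's list of filed domains. The list of filed domains, the placeholder filing numbers and the set of multi-label public suffixes are constructed for this example; a real check should consult the full Public Suffix List, because a naive "last two labels" rule would turn a.b.xxyy.com.cn into com.cn.

```python
"""Pre-release ICP filing check for hostnames (added example, not from the original post)."""

# Multi-label public suffixes commonly seen on Chinese sites. Constructed,
# deliberately partial list; use the full Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "edu.cn", "ac.cn"}

# Primary domains that hold a valid filing. Constructed sample data; the
# filing numbers are placeholders, not real records.
FILED_DOMAINS = {
    "xxxy.com": "ICP-filing-no-1",
    "xxyy.com.cn": "ICP-filing-no-2",
}


def registrable_domain(hostname: str) -> str:
    """Return the primary (registrable) domain a hostname falls under.

    zzz.xxxy.com     -> xxxy.com
    a.b.xxyy.com.cn  -> xxyy.com.cn   (com.cn is a public suffix, not a domain)
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_filing(hostnames, filed=FILED_DOMAINS):
    """Map each hostname to (primary domain, filing number or None)."""
    results = {}
    for host in hostnames:
        primary = registrable_domain(host)
        results[host] = (primary, filed.get(primary))
    return results


def unfiled(hostnames, filed=FILED_DOMAINS):
    """Hostnames that must not go live: their primary domain has no filing."""
    return sorted(h for h, (_, no) in check_filing(hostnames, filed).items() if no is None)


if __name__ == "__main__":
    # Hostnames from a hypothetical go-live work order (constructed).
    release = ["zzz.xxxy.com", "www.zzxx.com", "api.xxyy.com.cn"]
    for host, (primary, number) in check_filing(release).items():
        print(f"{host:20s} primary={primary:14s} filing={number or 'MISSING'}")
    print("blocked:", unfiled(release))
```

The script only answers "does the primary domain have a filing"; whether the filed subject and the actual operator of the site still match, which is what triggered the shutdown described in 1.2, has to be confirmed against the filing record itself.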

In addition, the official filing information query address is: http://www.miibeian.gov.cn/icp/publish/query/icpMemoInfo_showPage.action

2. Excessive Internet access configured for an application

2.1 Work orders whose stated and actual requirements differ

Recently the application operations staff received this kind of work order: a request to publish the application to the Internet via an nginx configuration. If there were nothing special about it, this would be a perfectly reasonable request.

But after talking to the requester, the actual need turned out to be: the application needs to access the Internet (outbound).

In other words, the application would have been given outbound Internet access and at the same time would expose a service to the Internet (open to the outside world, increasing the attack surface)?

2.2 Prevention Guide

Even professionals may not state their most basic need correctly.

When handling requests to open something to the outside world, as the last checkpoint before going live, we need to be careful.

3. Publishing the same application under multiple domain names

3.1 Go-live request

Again reported by the application operations staff: unsafe.war is already deployed in the production environment under www.xxyy.com, and now the business side wants to also publish unsafe.war in production under www.zzxx.com for convenience of debugging.

That is: how many Internet entry points will the same application end up having?

3.2 Prevention Guide

Faced with this "unsafe" request, the operations staff said no to the business side after consulting security. Whether from the point of view of application operations compliance or of security, it is not a reasonable request.

However, this kind of situation can be "bypassed". If the business side changes the package name slightly, or the operations staff cannot remember that it has already been released, it will be treated as a new application. From the security side, every application going online must pass a security assessment (the implemented version of the SDL), so the risk of such a "bypass" is actually controllable and acceptable; from the operations side, however, it may bring challenges to day-to-day management.

4. Secondary security risks of exposing test domain names externally

4.1 Opening a test domain name to the Internet

As we all know, the test environment is usually messier, and the probability of its being attacked is higher than for the production system. In practice, however, some applications do need their test environment published to the public network for joint debugging and testing with partners.

First, there is no doubt that the attack surface is expanded;

Secondly, if the business later applies to deploy more war packages under that domain name and operations cannot keep track of them, the attack surface grows further, with more potential security risks.

4.2 Prevention Guide

It can be seen that security is required not only of the business (pre-launch security assessment, the implemented SDL) but also of operations standards and checks. In addition, regular security scanning and asset discovery, security monitoring and risk assessment of the test environments that are open to the Internet will be important tools for discovering security problems promptly and accurately.
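As an added example (not code from the original post), an asset-discovery script of the kind section 4.2 calls for, applied to the two conditions sections 3 and 4 warn about: one backend published under several Internet hostnames (section 3), and test or development hostnames reachable from the Internet (section 4). It parses the nginx configuration operations already maintains, so the check does not depend on anyone remembering what was released. The configuration fragment, the hostnames and the test-environment name markers are constructed for illustration; the parser handles the server/location/proxy_pass subset of the nginx grammar, not the full language.

```python
"""Audit nginx server blocks for multi-domain and test-environment exposure.

Added example, not from the original post. The configuration below is a
constructed fragment; in practice feed it the output of `nginx -T`.
"""
import re
from collections import defaultdict

NGINX_CONF = """
http {
    upstream unsafe_app { server 10.0.0.12:8080; }   # the unsafe.war instance

    server {                       # production entry point for unsafe.war
        listen 80;
        server_name www.xxyy.com;
        location / { proxy_pass http://unsafe_app; }
    }
    server {                       # second entry point "for debugging"
        listen 80;
        server_name www.zzxx.com;
        location / { proxy_pass http://unsafe_app; }
    }
    server {                       # test environment opened for a partner
        listen 443 ssl;
        server_name test.xxxy.com;
        location /api/ { proxy_pass http://10.0.0.30:9000/; }
    }
}
"""

# Hostname labels that usually mark a non-production environment (constructed heuristic).
TEST_MARKERS = ("test", "dev", "uat", "staging", "qa")


def _tokens(text):
    """Strip comments and split into '{', '}', ';' and bare words."""
    text = re.sub(r"#.*", "", text)  # simple: a '#' inside a quoted value would be lost
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(text):
    """Parse into a list of (directive, args, children-or-None) triples."""
    tokens, pos = _tokens(text), 0

    def block():
        nonlocal pos
        items, args = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if args:
                    items.append((args[0], args[1:], None))
                args = []
            elif tok == "{":
                items.append((args[0], args[1:], block()))
                args = []
            elif tok == "}":
                return items
            else:
                args.append(tok)
        return items

    return block()


def servers(items):
    """Yield the bodies of all server { } blocks; skips 'server' lines inside upstream { }."""
    for name, _args, children in items:
        if name == "server" and children is not None:
            yield children
        elif children:
            yield from servers(children)


def directive_values(items, wanted):
    """Argument lists of every directive named `wanted`, at any nesting depth."""
    out = []
    for name, args, children in items:
        if name == wanted:
            out.append(args)
        if children:
            out.extend(directive_values(children, wanted))
    return out


def exposure_map(conf_text):
    """Backend (proxy_pass target) -> sorted list of external hostnames that publish it."""
    exposure = defaultdict(set)
    for srv in servers(parse(conf_text)):
        names = [n for args in directive_values(srv, "server_name") for n in args]
        for args in directive_values(srv, "proxy_pass"):
            exposure[args[0]].update(names)
    return {target: sorted(names) for target, names in exposure.items()}


def findings(conf_text):
    """Human-readable findings: one backend behind several hostnames, or test hosts exposed."""
    out = set()
    for target, names in exposure_map(conf_text).items():
        if len(names) > 1:
            out.add(f"MULTI-ENTRY: {target} is published under {len(names)} hostnames: {', '.join(names)}")
        for host in names:
            if any(marker in host.split(".")[0] for marker in TEST_MARKERS):
                out.add(f"TEST-EXPOSED: {host} looks like a test/dev hostname reachable from the Internet")
    return sorted(out)


if __name__ == "__main__":
    for line in findings(NGINX_CONF):
        print(line)
```

Run against the real configuration, the MULTI-ENTRY finding surfaces exactly the unsafe.war case from 3.1 even when the second request arrived under a different package name, and the TEST-EXPOSED list is the inventory of Internet-facing test hosts that 4.2 says should be scanned and monitored regularly.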
